Virtualization is Risky Business?

Over the last couple of months, the topic of virtualization and security (or lack thereof) continues to surface as one of the more intriguing topics of relevance in both the enterprise and service provider environments and those who cover them. From bloggers to analysts to vendors, virtualization is a greenfield for security opportunity and a minefield for the risk models used to describe it.

There are many excellent arguments being discussed which highlight in an ad hoc manner the most serious risks posed by virtualization, and I find many of them accurate, compelling, frightening and relevant. However, I find that overall, to gauge in relative terms the impact that these new combinations of attack surfaces, vectors and actors pose, the risk model(s) are immature and incomplete.

Most of the arguments are currently based on hyperbole and anecdotal references to attacks that could happen. It reminds me much of the ballyhooed security risks currently held up for scrutiny for mobile handsets. We know bad things could happen, but for the most part, we’re not being proactive about solving some of the issues before they see the light of day.

The panel I was on at the RSA show highlighted this very problem. We had folks from VMware and Red Hat in the audience who assured us that we were just being Chicken Littles and that the risk is both quantifiable and manageable today. We also had other indications that customers felt that while the cost benefits of virtualization were huge, the perceived downside from the unknown (mostly theoretical) risks was making them very uncomfortable.

Out of the 150+ folks in the room, approximately 20 had virtualized systems in production roles. About 25% of those had collapsed multiple tiers of an n-tier application stack (including SOA environments) onto a single VM host. NONE of them had yet had these systems audited by any third party or regulatory agency.

Rot Roh.

The interesting thing to me was the dichotomy between the top-down and bottom-up approaches to describing the problem. There was lots of discussion regarding hypervisor (in)security, privilege escalation and the like, but I found it interesting that most people were not thinking about the impact on the network and how security would have to change to accommodate it from a bottom-up (infrastructure and architecture) perspective.

The notions of guest VM hopping and malware detection in hypervisors/VMs are reasonably well discussed (yet not resolved), so I thought I would approach it from the perspective of what role, if any, the traditional network infrastructure plays in this.

Thomas Ptacek was right when he said "…I also think modern enterprises are so far from having reasonable access control between the VLANs they already use without virtualization that it’s not a “next 18 month” priority to install them." I agree with him there. So, if one accepts this as true, I posit the following question:

If we now see the consolidation of multiple OSes and applications onto a single VM host, where the bulk of the traffic and data interchange is between the VMs themselves, traverses the virtual switching fabric inside the VM host and never touches the physical network infrastructure, where exactly does this leave the self-defending "network"? Every control that lives on the physical wire (firewalls, IDS/IPS sensors on SPAN ports or taps, NetFlow collectors) is blind to that traffic unless VM-level security functionality is placed at the "micro-perimeters" of the VMs.
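To make the blind spot concrete, here is an added example (my own illustration, not code from the original post or from any vendor mentioned) that models a single-host deployment and asks which flows a sensor sitting on the physical network could ever observe. It assumes the vSwitch of the era is a pure layer-2 device: frames between two VMs on the same host and the same VLAN are switched locally and never reach the uplink, while anything that crosses a VLAN boundary must hairpin out to an external router. The host names, VM names and VLAN numbers are constructed sample data.

```python
"""Model of what a physical-network sensor sees when application tiers
share one VM host.  Assumption: the vSwitch is layer-2 only (no inter-VLAN
routing), so same-host, same-VLAN traffic never leaves the host."""
from collections import namedtuple

VM = namedtuple("VM", "name host vlan")
Flow = namedtuple("Flow", "src dst")

# Constructed sample topology: a three-tier app collapsed onto esx01,
# plus a second web node on esx02.  All tiers share VLAN 10.
VMS = {
    "web":  VM("web",  "esx01", 10),
    "app":  VM("app",  "esx01", 10),
    "db":   VM("db",   "esx01", 10),
    "web2": VM("web2", "esx02", 10),
}

def path_of(flow, vms):
    """Return 'vswitch' if a frame for this flow is switched entirely
    inside the host, or 'physical' if it must traverse the uplink
    (different hosts, or different VLANs needing an external router)."""
    src, dst = vms[flow.src], vms[flow.dst]
    if src.host == dst.host and src.vlan == dst.vlan:
        return "vswitch"
    return "physical"

def sensor_coverage(flows, vms):
    """Partition flows into those visible to a sensor on the physical
    network (SPAN port, tap, or core firewall) and those it is blind to."""
    seen, blind = [], []
    for flow in flows:
        (seen if path_of(flow, vms) == "physical" else blind).append(flow)
    return seen, blind

def segment_tiers(vms, tier_vlans):
    """One mitigation available with only physical controls: give each
    tier its own VLAN so inter-tier traffic hairpins through the physical
    infrastructure where the existing firewalls and sensors live.
    tier_vlans maps VM name -> VLAN id (constructed assignment)."""
    return {name: vm._replace(vlan=tier_vlans.get(name, vm.vlan))
            for name, vm in vms.items()}

if __name__ == "__main__":
    # Constructed inter-tier flows for the sample app.
    flows = [Flow("web", "app"), Flow("app", "db"), Flow("web2", "app")]
    seen, blind = sensor_coverage(flows, VMS)
    print("collapsed on one host, one VLAN:")
    print("  visible on the wire:", [f"{f.src}->{f.dst}" for f in seen])
    print("  blind spot         :", [f"{f.src}->{f.dst}" for f in blind])

    segmented = segment_tiers(VMS, {"web": 10, "app": 20, "db": 30, "web2": 10})
    seen, blind = sensor_coverage(flows, segmented)
    print("tiers on separate VLANs:")
    print("  visible on the wire:", [f"{f.src}->{f.dst}" for f in seen])
    print("  blind spot         :", [f"{f.src}->{f.dst}" for f in blind])
```

With all three tiers on one host and one VLAN, the only flow the wire-side sensor sees is the one from the second host; the web-to-app and app-to-db exchanges, which are exactly where an injection or lateral move would show up, never touch the physical network. Forcing each tier onto its own VLAN restores visibility, but at the cost of pushing every inter-tier packet out the uplink and back, which is the bandwidth and latency penalty that makes VM-level controls attractive in the first place.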

I recall asking Jayshree Ullal of Cisco, who was presenting Cisco’s strategy regarding virtualized security at a recent Goldman Sachs security conference, how their approach to securing the network was impacted by virtualization in the situation I describe above.

You could hear crickets chirp in the answer.

Talk amongst yourselves….

P.S. More excellent discussions from Matasano (Ptacek) here and Rothman’s bloggy. I also recommend Greg Ness’ commentary on virtualization and security @ the HyperVisor here.

Great post Chris! IMHO virtualization will enable a higher level of security for those teams who embrace new thinking and understand the new "virtual world" of heightened complexity, mobility and quantity. The hypervisor is a strategic point of leverage…
My Always On blog on the topic – http://alwayson.goingon.com/permalink/post/9944

Great post, Greg; I think that the discussion (nee argument) regarding security at the HyperVisor level presents the next battleground for where traditional security providers will tread.
I think also that given the micro-perimeterization and inability for the "network" to protect inter-VM communications, that this will become a necessary component to a layered security model in the virtualized world.
Chris

Agree, Chris. The key will be which vendors/pros grasp the power and challenge of securing pools of processing power… versus the old physical way of thinking. I do think it's the equivalent of a "new physics" for network security, with exponential increases in complexity, change/mobility and quantity. Thinking in terms of physical location, static signatures and all of the trappings of the physical data center will be a road to perdition for those charged with securing virtual data centers.

Last night Gartner's Neil MacDonald published a paper on security and virtualization. For Gartner clients, its ID# is G00144828 and it is entitled "Security Considerations and Best Practices for Securing Virtual Machines".
FYI
G

http://virtual-jay.blogspot.com/2007/04/blue-lane…
From Jay Rogers blog on virtualization…
“I have been testing both the Virtual and Physical solutions Blue Lane provides, and I have been very impressed. We put it in place on some very “dirty” segments and now we know what is attacking our systems. It also eases some of the burden of Microsoft’s Patch Tuesday!”
Thanks again,
Greg